Understanding the NIS2 Directive: Boosting Cloud Security and Compliance

NIS2 (Network and Information Systems Security Directive 2) is a regulatory framework destined to strengthen cybersecurity for critical infrastructure and service providers. It builds upon the NIS 1 Directive, which regulates network and information systems security. NIS2 was created by the European Union to enforce a modern cybersecurity strategy, having in mind new sectors and improving incident response and resilience in compliant entities. NIS2 (Directive (EU) 2022/2555) came into effect on the 16th of January 2023 and replaces NIS1, which was released in 2016. 

Differences between NIS 1 and NIS 2 

Aiming to improve the NIS1 Directive, its newer version has a few differences. Some of the key ones are: 

• NIS2 now covers more sectors than NIS1, which focused on essential services operators in sectors such as energy, transportation, banking, healthcare. NIS2 also has cloud computing services in scope. Some examples of the newly added sectors are postal and courier services, waste management, digital providers. 
• Security controls are more stringent for NIS2. A few topics covered for the cloud are data encryption, IAM, vulnerability management, zero trust principles, and incident response. 
• Penalties no longer differ from country to country like they did in NIS1; they are harmonized across the European Union. 

Key elements of NIS2 

All entities in scope should take measures to cover the most important elements, considered by NIS2 as the baseline for protecting the network, information systems, and physical environment from cybersecurity incidents. The following are the mandatory measures: 

• Policies on risk analysis and information system security, 
• Incident handling, 
• Business continuity, 
• Supply chain security, 
• Security in network and information systems acquisition, development, and maintenance, 
• Policies to assess the effectiveness of cybersecurity risk management measures, 
• Basic cyber hygiene practices and training, 
• Policies regarding the use of cryptography and encryption, 
• HR security, access control policies, access management, 
• The use of MFA or continuous authentication solutions. 

You can find more details about these requirements directly from the NIS2 directive. 

The NIS2 is crucial for implementing cybersecurity best practices and protecting critical infrastructure. Organizations can mitigate risks and contribute to a safer digital environment by adopting the mentioned requirements.  

Timeline and Deadlines

• By 17 July 2024, The European cyber crisis liaison organisation network (EU-CyCLONe) is required to submit its first report to the European Parliament and the Council, assessing its work. This report will be submitted every 18 months thereafter.

• By 17 October 2024, Member States must adopt and publish the necessary measures to comply with the NIS 2 Directive.

• Also by 17 October 2024, the Commission is required to adopt implementing acts detailing the technical and methodological requirements of the measures for various service providers.

• The application of these measures by Member States will commence from 18 October 2024. This date also marks the repeal of Directive (EU) 2016/1148 (the NIS Directive).

• By 17 January 2025, the Cooperation Group, with the assistance of the Commission and ENISA, and where relevant, the CSIRTs network, will establish the methodology and organizational aspects of peer reviews. These reviews aim to enhance Member States’ cybersecurity capabilities and policies necessary to implement this Directive. Participation in peer reviews is voluntary and will be carried out by cybersecurity experts designated by at least two Member States.

• By 17 April 2025, Member States are required to establish a list of essential and important entities, as well as entities providing domain name registration services. This list will be reviewed and updated regularly, at least every two years.

• By the same date, 17 April 2025, and every two years thereafter, the competent authorities will notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.

• The first review of the functioning of this Directive by the Commission will take place by 17 October 2027, and subsequently every 36 months, with a report to be submitted to the European Parliament and the Council.

FAQ on NIS2 Directive

• What is the goal of the NIS2 Directive?

  It aims to enhance cybersecurity resilience for the EU's critical infrastructure and digital service providers.

• Who does the NIS2 Directive apply to?

  It applies to entities that provide essential or important services to the European economy from different sectors such as energy, transportation, healthcare, finance, but not limited to those.

• How does the NIS2 Directive affect cloud providers?

  Cloud providers must implement robust security measures to comply with the directive and protect services from cyber threats.

• What happens if you don't comply with the NIS2 Directive?

  Non-compliance can lead to penalties such as fines and sanctions, along with increased cyber risks and disruptions to critical services.

• How can organizations comply with the NIS2 Directive?

  By conducting risk assessments, implementing security controls, establishing incident response procedures, and promoting cybersecurity awareness.

You can perform a free risk assessment right now to see where your company stands in terms of cloud security and find out the most actionable insights that can improve your business’ cloud security posture.